Hi,
my configuration is as follows:
input {
beats {
port => "5043"
}
}
filter {
if [message] =~ /IDRequestType [Varchar2 \d+] = '([A-Z_])'/ {
grok {
match => ["message", "(?<procedure>\S)\s(?<taskTag>[0-9a-f]{32})\sIN: actionType [Varchar2 \d+] = '(?<actionType>\w+)'\sOUT: IDRequestType [Varchar2 \d+] = '(?<idRequestType>\w+)'"]
}
} else {
grok {
match => ["message", "(?<procedura>\S*)\s(?<taskTag>[0-9a-f]{32})\sIN: IDRequestState [Varchar2 \d+] = '(?<idRequestState>[A-Z])'"]
}
elasticsearch {
index => "indexname"
query => 'taskTag:"%{[taskTag]}"'
fields => {"idRequestType" => "idRequestType"}
sort => "idRequestType.keyword:desc"
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "indexname"
}
}
But it seems that querying is not working for every event. I get output like this:
{
"_index": "indexname",
"taskTag": "b5feaf378733493c953fbca7d0a53e92",
"source": "/home/elk/logovi/Trace-2017-10-31-19.log",
"message": "Mw.Common.Database b5feaf378733493c953fbca7d0a53e92 IN: RequestState [Varchar2 3] = 'C'",
"type": "log",
"tags": [
"beats_input_codec_plain_applied"
],
"@timestamp": "2017-12-11T13:28:14.244Z",
"idRequestState": "C",
"procedure": "Com.IGT.Mw.Common.Database.DbAccess+DbTxn.Execute",
"@version": "1",
}
}
and
{
"_index": "indexname",
"taskTag": "a480a751d8ae4eaaa454ca0156f031c9",
"source": "/home/elk/logovi/Trace-2017-10-31-16.log",
"message": "Mw.Common.Database a480a751d8ae4eaaa454ca0156f031c9 IN: IDRequestState [Varchar2 3] = 'C'",
"type": "log",
"tags": [
"beats_input_codec_plain_applied"
],
"@timestamp": "2017-12-11T13:28:14.245Z",
"idRequestState": "C",
"procedura": "Mw.Common.Database",
"@version": "1",
"idRequestType": "CASH_HQ"
}
As you can see once it looks like elasticsearch query has run as it should, but once it somehow fails. I cannot see anything in logs, no errors, no warnings...
Does anyone have any idea where I am wrong?
Thank you!